Rate Limits
Limits are tracked at three granularities. The most-restrictive one wins.
Per-token
| Tier | Requests / minute | Requests / day |
|---|---|---|
| Free | 60 | 5,000 |
| Starter | 120 | 10,000 |
| Pro | 600 | 100,000 |
| Business | 1,200 | 1,000,000 |
| Enterprise | Custom | Custom |
Per-workspace
Same as per-token but counted across every token in the workspace, so two backend services sharing a workspace API key can saturate the budget faster than one.
Per-IP
Anti-abuse cap for unauthenticated traffic and signup paths:
POST /v1/auth/signup: 5 per IP per hour- Unauthenticated reads: 60 per IP per minute
Headers
Every response carries:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 587
X-RateLimit-Reset: 1735689600Reset is a Unix epoch second. On 429 Too Many Requests we also set
Retry-After (seconds).
What to do when you hit a limit
- Honour
Retry-Afterif present. - Otherwise, exponential backoff with jitter.
- If you legitimately need more — talk to us. Enterprise plans get custom budgets and dedicated edge tier (no shared rate-limit namespace).
The redirect path (elido.me) is on a separate budget — short-link
clicks are not gated by your API key’s rate limit. The redirect’s own
DDoS protection is handled at the edge.